A critical vulnerability has been discovered in EverShop, a modern, developer-focused e-commerce platform built on React and GraphQL. The flaw, tracked as CVE-2026-25993, is a “Second-Order SQL Injection” that carries a CVSSv4 score of 9.3, posing a severe threat to online stores running vulnerable versions of the software.
The vulnerability strikes at the core of how EverShop handles product and category URLs, turning a standard database update into a potential takeover event.
Unlike a traditional SQL injection where an attack happens immediately upon input, a Second-Order SQL Injection is a ticking time bomb. The malicious data is first stored innocuously in the database, only to be executed later when the application retrieves and uses it.
In this case, the flaw lies in the url_key field, which defines the web address for product categories. The advisory explains: “During category update and deletion event handling, the application embeds path / request_path values… into SQL statements via string concatenation”.
Because these values are derived from the stored url_key, an attacker who can modify a category’s URL key (perhaps via a compromised low-level account or another flaw) can plant a malicious SQL command.
The advisory continues: “If a malicious string is stored in url_key, subsequent event processing modifies and executes the SQL statement,” leading to the injection. This could allow attackers to manipulate the database, steal customer data, or potentially gain administrative control.
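The pattern the advisory describes, as an added illustration that is not EverShop's own code: a stored url_key is turned into a request_path and concatenated into a statement at event time, so the database receives whatever the stored value contains. The table name, column name, path prefix and sample rows below are all assumptions constructed for the example; the parameterised builder and the write-time allow-list show the two fixes a maintainer would apply.

```javascript
// Added example, not EverShop's code. Nothing here talks to a database;
// each builder only returns the statement it would have sent.

// Constructed sample rows as they might sit in a category table after an
// earlier write. The second url_key carries an apostrophe, which is enough
// to show that concatenation lets stored data reshape the statement.
const CATEGORIES = [
  { id: 1, url_key: "shoes" },
  { id: 2, url_key: "men's-shoes" },
];

// Assumed derivation: a fixed prefix plus the stored key.
function requestPathFor(category) {
  return "/category/" + category.url_key;
}

// VULNERABLE pattern (second-order): the stored value is spliced into SQL
// text at update/delete time, long after it was written.
// Table and column names are assumptions for the example.
function buildUnsafeDelete(category) {
  const path = requestPathFor(category);
  return "DELETE FROM url_rewrite WHERE request_path = '" + path + "'";
}

// HARDENED pattern: placeholder in the text, value passed separately, so the
// driver never interprets the stored string as SQL.
function buildSafeDelete(category) {
  return {
    text: "DELETE FROM url_rewrite WHERE request_path = $1",
    values: [requestPathFor(category)],
  };
}

// Defence in depth at write time: a URL key is a slug, so an allow-list
// rejects quotes, semicolons and comment markers before they are stored.
const URL_KEY_RE = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;
function isValidUrlKey(key) {
  return typeof key === "string" && key.length <= 128 && URL_KEY_RE.test(key);
}

// Crude audit for concatenated statements: count single quotes. An odd
// count means a string literal was opened or closed by the data itself.
function countQuotes(sql) {
  let n = 0;
  for (const ch of sql) if (ch === "'") n++;
  return n;
}

function statementLooksRestructured(sql) {
  return countQuotes(sql) % 2 === 1;
}

// Usage: compare what each builder would send for both rows.
for (const c of CATEGORIES) {
  const unsafe = buildUnsafeDelete(c);
  const safe = buildSafeDelete(c);
  console.log(`url_key=${JSON.stringify(c.url_key)} valid=${isValidUrlKey(c.url_key)}`);
  console.log("  concatenated:", unsafe, "restructured:", statementLooksRestructured(unsafe));
  console.log("  parameterised:", safe.text, "values:", JSON.stringify(safe.values));
}
```

The benign apostrophe is the point: the concatenated builder has no way to tell a quote that ends the literal from one that belongs to the data, so any character the url_key validator does not exclude reaches the parser as SQL. The parameterised builder returns the same statement text for every row; only the bound value changes.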
The maintainers have addressed this critical issue in the latest update. Developers and store owners using EverShop are strongly advised to upgrade immediately to version 2.1.1 or higher to neutralize this risk and secure their storefronts.